The “safe handling of cell phones” is a basic training for more privacy and security in everyday mobile life. I want to show that security and privacy are possible on cell phones.

And similar to a driver’s license for a car, you learn the rules to bring your cell phone and apps under your control. It doesn’t matter if you use an iPhone, Android or Linux phone.

Once you have internalized everything, you can implement it step by step with your own cell phone. At the end you will find, as always, a collection of links with essential contributions to the topic. I look forward to any hints, questions or feedback.

Why is a private and secure cell phone important?

Almost everything in daily life can be done with a cell phone or tablet. Mobile phones are therefore more important for us today and also easier to use than a PC. Since we carry our cell phones with us 24 hours a day now, we are always online.

During this time, our devices generate countless pieces of information about our activities. This so-called Activity Metadata is collected, analyzed and shared or even sold to third parties by the manufacturers of our cell phones, our phone providers and the manufacturers of the apps we use.

For example, say you use an iPhone with Deutsche Telekom as your network provider and regularly use apps such as WhatsApp, Google Maps and Search, LinkedIn, PayPal, Instagram, Amazon and Twitter. By doing so, you are allowing these companies to:

  • recognize your relationship network and create movement profiles of you
  • identify your political views, sexual orientation and interests
  • analyze your financial situation
  • reconstruct encrypted and private conversation content with metadata

This data may be resold by these companies to advertisers and data brokers. Very likely, it also ends up in investigative systems of police and intelligence agencies such as the NSA. Since protecting this data is secondary and expensive, cybercriminals may steal it. At Facebook or LinkedIn, for example, your data has been stolen many times.

If you think: “It’s not so bad, I don’t have anything to hide anyway”, I recommend that you read the following article.

Behavior and basics

Everywhere in offline life there are rules or behaviors that we follow. Some are prescribed and others we stick to intuitively because it’s just better or safer for us. For example, that you have to signal when changing lanes on the freeway, that it’s better to apply the handbrake when parking, or that you shouldn’t leave any valuables in the car.

Similar, recommended behaviors exist in digital life, when using a cell phone. Only there is no “driving school” for it yet, no training and no safety briefing. Before you continue here, take a quick look at the 10 basic rules for your online life.

What should you definitely pay attention to?

Automatic updates of the operating system

In addition to fixing general bugs and improvements, operating system updates always fix security issues. Many updates become necessary in the first place because of discovered security flaws. It is therefore very important that you provide your cell phone with updates – preferably automatically.

Access lock with passcode

The passcode unlocks and decrypts your cell phone. If you lose your device or someone wants to search your device at a border, for example, it is very difficult to get at its contents without the passcode. It is therefore important to assign an individual and unique passcode and keep it secret.

Security experts and cryptanalysts would tell you that your passcode needs to be as secure and as long as possible – preferably a long, alphanumeric password phrase. But in your daily life, do you manage to enter this passcode into your phone all the time?

I would say start with a 6-digit, truly random number. If that works well, take the next step and create yourself a longer, alphanumeric passcode.

For review, read the article on strong passwords and password phrases from BaseCamp.

Write down the passcode on a blank index card. Put it in a place where it will not be noticed. If you already have an app to manage all your passwords (a password manager), enter the passcode there.

Unlock with fingerprint or Face ID?

Many cell phones offer fingerprint or facial recognition unlocking. Your passcode is then linked to your face or a fingerprint. This is a very convenient way to enter a long, secure passcode quickly.

However, if you use this option, it is possible that someone will hold your iPhone in front of your face or force you to provide a fingerprint. Cell phone searches, especially at borders, now exist in many countries.

You now have two ways to deal with the issue:

a) you do not use facial recognition and fingerprint to unlock the device, but only to access online banking, password manager or wallet more easily in an already unlocked state. That is my recommendation.

b) or you use facial recognition and fingerprint also for unlocking, but you have to remember to disable unlocking by facial recognition/fingerprint e.g. before a trip abroad.

A separate password for each account

Assign a separate, secure password or passphrase for each account, each access, each provider.

Password Manager

Install a trusted password manager so that you can securely manage your various passwords. This way you only need to remember one secure password: the one for the password manager.

Since the password manager allows you to enter your passwords in the cell phone and in the browser in the same way, it will also make your online life much easier.

Take your pictures and videos only without location information

Basically, you should not give your camera access to your location in the privacy settings of your cell phone. Thus, no location can be stored in images and videos.

Avoid the clouds… of Apple, Google, Microsoft and Co.

Cloud services are actually a great thing. You can think of it as an invisible server on the Internet. All your devices can access this server. You can use it to back up your pictures and keep your contacts and emails in sync on all your devices. And of course, safely store all other documents there. So much for the theory…

Whether this information remains confidential depends on who owns this server / cloud service on the network.

Of course, the ideal situation is when a cloud provider only receives your data in encrypted form and thus has no knowledge of your data. Only you, looking at the data on your cell phone, for example, can decrypt and read it. This is called “zero-knowledge.”

I recommend you to completely avoid the clouds of Apple, Google, Microsoft and Co. Check out the CloudPirat toolbox and see trusted alternatives.

Your apps under your control

Apps extend the functionality of your cell phone. And there’s nothing better than trying out a new app quickly. A harmless game, the better weather report, the connection to the fitness watch or an ingenious routing app for cycling or hiking.

What do you have to pay attention to?

Most apps have a small side job besides their main task (e.g. displaying the weather report). They collect lots of private data about you. They transmit this data to their developer / manufacturer. Much of this data is marketed, condensed into a personal profile and misused for online advertising or passed on to data traders.

App developers often argue that they need this data to give you better or more accurate results. Here’s where you need to look closely. It’s clear that a navigation app like Google Maps needs your location. With a weather app where you can conveniently change the location for your weather, the app never needs your exact location.

What private data can apps collect?

Besides your actual user data (Who are you?), your app usage (What are you doing?, What are you typing?), app makers are most interested in your real-time location, your contacts, and the data from your phone’s sensors. These are, for example:

  • GPS sensor – your exact position every day and every hour
  • Camera – pictures, movies
  • Microphone – conversations, ambient noise, mood, speech recognition
  • Movement – vibration, position, gait, up and down movement, your fitness
  • Proximity – approach of objects, via electromagnetism or infrared.
  • Bluetooth & Ultra Wide Band – Who’s Around? Transmission of data over short distances

What can you do?

For many things you don’t even need an app – just use your phone’s browser instead of installing a new app every time! For example, you don’t need the BBC app on your phone to read BBC news. You can visit the BBC website via your mobile browser and read the news there.

A new app can be more of a threat to your privacy and security, while a secure and trusted browser protects you.

For example, as an alternative to the app, I save the links to my news sites (e.g. from the BBC) as bookmarks in the browser. Some browsers (e.g. Safari) also allow website links to be saved directly to the cell phone screen. Then it looks like an app, but it’s just a link.

Reduce the number of your apps to a minimum – Take a gradual approach and delete a couple each day. Replace them with bookmarks or links on your screen. Especially delete social media apps like Twitter, Instagram, WhatsApp, Telegram, Facebook Messenger, TikTok and Snapchat. By the way, apps from dating portals don’t belong on a cell phone either.

Reduce app access to sensors – You should be extremely careful that only a few, hand-picked apps get access to your sensors. And only ever while you’re using the app! You should check this from time to time and then trim back hard.

You should also not lightly confirm an app’s nonsensical requests to access your location at any time. Rather consider deleting this app.

Use only privacy-friendly apps if possible – in my CloudPirat Privacy Toolbox I have presented privacy-friendly and open-source apps for the most important application areas. They are checked by experts, tested by me and kept up to date. Most have been a permanent part of my online life since 2016.

PS: Open source means that the app’s code has been published and that experts can check if the app does things it shouldn’t do besides its actual function.

Pay attention to privacy ratings – If you hear of another cool app, check out its privacy rating first before installing it. Both the Apple App Store and the Google Play Store now offer privacy ratings. If you are not sure, do not install it or look for open source solutions.

PS: In the Android world, there is an app store called F-Droid. It contains only free and open-source apps that protect your privacy per se.

Don’t get new accounts – Often, after installing a new app, you need an extra app account to use this app. Of course, you have to decide how important the app’s function is to you. When I come across something like this, I usually spontaneously delete the app.

As a rule, such providers, which are usually small, cannot protect your data. They do get hacked at some point. You can save yourself the trouble.

Which cell phones can you use?

After a small guide to the use of cell phones, I now suggest two cell phones that you can use to implement the behaviors well. But first, a little excursion on mobile phone security.

Cell phone security

In the development of cell phones such as the iPhone or Android phones, user security was considered a fundamental component from the very beginning. They include concepts such as:

Sandboxing – Each app is “locked” in its own sandbox and not allowed to play with the “other kids”. Simply put, this is intended to curb the spread of malware.

Verified boot of the operating system – Only the operating system that is unaltered and not modified by “strangers” can be started. This is also called “Advanced Verified Boot” (AVB).

Modern exploit defense mechanisms – a kind of caries prophylaxis for not yet detected vulnerabilities, actually programming errors or insufficiently tested features of the manufacturer.

Therefore, our mobile phones are already much better protected by default than, for example, our PCs. (Source: Security and Privacy Advice | Madaidan’s Insecurities)

(1) Google Pixel from version 6 with the GrapheneOS operating system.

A Google Pixel cell phone with GrapheneOS as the operating system is a secure and trustworthy combination.

But no matter how good and safe the technology is, you have to have the behaviors down. Your behavior and discipline affect your safety and privacy 100%.

Why a Pixel from Google of all things?

Pixel phones have stronger hardware security than any other Android device currently on the market. They offer an “Advanced Verified Boot” even for third-party operating systems (e.g. GrapheneOS) and have Google’s Titan security chips on board. Google guarantees 5 years of security updates starting with the “Pixel 6”.

GrapheneOS is an Android operating system without Google components. The developers of GrapheneOS have provided many features from the beginning to protect your privacy.

How to install GrapheneOS on your Pixel and what else you can do yourself to participate safely and privately in online life with your GrapheneOS phone, I describe in an extra BaseCamp article (in preparation).

(2) A current iPhone with current iOS operating system – without jailbreak.

A current iPhone is technically a secure cell phone. However, you may be entrusting your privacy and parts of your private data to Apple. Here I explain which settings and apps you can use to safely and privately participate in online life on an iPhone.

What are the alternatives?

Why not a “normal” Android phone, for example? – You should not use a standard Google Android cell phone, such as the one found on a Samsung or Huawei cell phone. In my opinion, it is difficult to impossible to protect your privacy (and data) from Google.

Why no other “de-googled” Android? – GrapheneOS in combination with the Google Pixel is a safe and private thing. Almost anyone can install it themselves. It is precisely because GrapheneOS only focuses on this one technically good phone that it is a good combo.

Nevertheless, I would like to point out the following two “de-googled Android” operating systems:

LineageOS – offers hardware support for very many smartphone manufacturers. Unfortunately, it is difficult to install for a layman. Unfortunately, it doesn’t work at all on some phones and in some series. Security and privacy are not as pronounced in the state of delivery as they are in GrapheneOS. For me, it was a dead end.

CalyxOS – a promising project for a secure and private Android. If you want to compare CalyxOS with GrapheneOS you can go here and here.

Why not a professional security phone? – I consider a GrapheneOS phone in particular, but also a carefully configured and up-to-date iPhone – in combination with apps that support security and privacy – to be a better and everyday alternative for most people. If you still want to have a look at Security Phones, you will find them e.g. at Sirin Labs, Silent Circle or Purism.

Sources, tips and links for further reading

Observations and thoughts on the LinkedIn data breach, 10.08.2022

madaidans, Linux Security Analyst, Security and Privacy Advice, 10.08.2022

GrapheneOS Project, GrapheneOS Feature List, 20.10.2022

Reddit, Sandboxed Google Play vs. microG, 20.10.2022

GrapheneOS or CalyxOS?, 23.10.2022